For several years, the media has had a field day reporting data breach after data breach. In turn, big corporations such as Target, Home Depot and Sony have scrambled to put a crisis communication plan in place as well as dole out millions of dollars in restitution. Cybersecurity is not just a “big-business” issue. We have seen several of our clients in the small-to-midsize business space innocently fall prey to a hacker. Has your data been compromised?
In a reactive effort to protect the rights of Rhode Island residents, Governor Gina Raimondo signed the Rhode Island Identity Theft Protection Act of 2015 into law on June 26, 2015. The Act requires businesses to take several measures to ensure the security of the private information of Rhode Island residents. The law included a one-year transition period for businesses to comply. That date was July 2, 2016, and still most businesses are unaware that the law even exists!
So what are the highlights of this law?
- If you are a Rhode Island employer, state agency, or municipality, regardless of your size, you must implement a “Risk-Based Information Security Program” to safeguard your employees’ or customers’ private information. In MA this is called a WISP (Written Information Security Program) and in CT it is called a Comprehensive Information Security Program.
- Private information includes: first and last name, driver’s license number (or other ID number), Social Security number, date of birth, medical or health information, account information (such as debit or credit cards, or account information that requires a password to access financial information), and email addresses with any security codes that lead to private, medical or financial information. Check the law on RI.gov for more details!
- If a breach occurs in your company, you are required to alert the affected individuals within 45 days of discovering the breach. Get your PR plans in place sooner than later, just in case!
- Plan and Prepare the WISP: Before writing your Risk-Based plan, assess who it will apply to. A best practice is to take the time to clean your database of the names of people no longer affiliated with your company. Then, write the plan. Specific details must go into the plan, including: access controls, the network and physical security in place to protect the information, and data retention and destruction plans, to name a few.
- Potential Costly Penalties:
  - Reckless Violation – a breach that occurs when you were unaware of the law incurs a fine of $100 per record.
  - Knowing & Willful Violation – you were aware of the risks and chose not to comply with the law or protect your data; this can be a $200 fine per record.
- Notifying Individuals: Along with notification within 45 days, your notification to impacted individuals must include the right to file a police report, instructions on how to freeze account information along with the associated fees, and the contact information of reporting agencies and the Attorney General’s Office.
- If a breach affecting over 500 Rhode Island residents occurs, the business is required to contact the Attorney General’s office.
A crucial component to consider for compliance is your technology requirements. Breathe easy if you can answer YES to the following questions. If not, it’s time to talk to your IT provider.
- Data Encryption – Are you sending documents via encrypted email? And are your mobile devices encrypted, just in case one is lost or stolen?
- Firewall – Does your office have an actively managed AND up-to-date firewall? And, is your IT vendor monitoring your firewall for breaches?
- Secure Wi-Fi – Is your Wi-Fi secured with a password? Does your wireless access point have a separate zone for guest-access?
- Data Backup and Disaster Recovery Solutions – Do you have a backup system that is off-site, encrypted, monitored and tested daily?
- A Written Network Security Plan – Do you have a plan in place to secure your network? Are the steps written out to deal with a security breach?
Satisfying these technology requirements will become an ongoing process for your organization. Multiple departments must participate to ensure compliance. This is also the time to start questioning your vendors to ensure their compliance with the new RI Data Security Law.
The wonderful world of hacking is a multi-billion-dollar criminal industry. The question today should shift from “Will a cyber-attack ever happen to me?” to “When will it happen?” You’ve worked hard to build your corporate brand. Don’t let a hacker and your indifference toward this law destroy it.